Magento software

Adobe, Mastercard, Visa warn online store owners of Magento 1.x EOL

Payment processors Visa and Mastercard, along with Adobe, this month attempted last-ditch efforts to get online store owners to update their platforms.

In three days, June 30, the Magento 1.x platform is expected to reach its official end-of-life (EOL) date, after which Adobe plans to stop offering security updates.

Stores that have not updated to the latest 2.x branch and are still running Magento 1.x installations will become very vulnerable to hacker attacks.

The danger is considered high because over the past three years hackers have widely exploited Magento bugs to break into stores and insert payment card theft code into payment forms – in a form of attack known as web skimming or Magecart.

Mastercard and Visa get involved

Earlier this week, payment processor Mastercard issued a security alert to its customers about the matter.

In a copy of that alert seen by ZDNet, the company said its Mastercard Account Data Compromise (ADC) team, charged with investigating security vulnerabilities affecting cardholder data, found that skimming incidents Web have proliferated in recent years. Most of them trace back to websites running older versions of Magento online store software.

Mastercard said 77% of businesses investigated in these incidents failed to comply with PCI DSS Requirement 6, the rule that requires store owners to use up-to-date systems. .

Mastercard’s alert comes after Visa sent its own in April. Just like Mastercard, Visa has warned store owners to update to the latest branch, Magento 2.3.x, to avoid attacks on their stores.

But while Mastercard has taken a lighter tone with its customers, Visa has been very blunt in its warning, making it clear that if merchants fail to update outside of the Magento 1.x branch, they will eventually no longer be PCI DSS compliant.

Losing PCI DSS accreditation spells disaster for online stores or any other business that handles online card payments, as they could become directly liable for any damages they cause to their customers.

Adobe has twice delayed the end of life of Magento 1.x

But the two payment processors are not the only ones to have notified their customers of the end of life of Magento 1.x. The same goes for Adobe, the company that now owns the Magento software and cloud server for hosting Magento stores.

Adobe, which acquired Magento in May 2018, has been more than gracious and lenient to Magento 1.x store owners.

The 1.x branch was released in 2008 and was originally expected to reach end of life in November 2018.

Three years prior, in 2015, the Magento team released the much-needed update 2.0, which was a total rewrite and architectural overhaul of the previous and outdated 1.x version.

Unfortunately, the community of Magento store owners did not welcome the new 2.x version with open arms. Due to the large number of breaking changes between the two releases, many store owners opted to stay on the older 1.x version and avoid having to reimplement their stores from scratch and avoid extended downtime – which is quite common practice in the webdev community.

After Adobe acquired the old Magento team, store owners asked the company to delay the end of life of the 1.x branch, which Adobe agreed to, pushing the official end of life to 1st. June 2020.

As the coronavirus (COVID-19) pandemic hit earlier this year, Adobe again graciously delayed Magento 1.x end-of-life, moving it from June 1 to June 30 to give store owners more time to deal with last-minute breakages at their sites and accommodate working-from-home schedules.

But that was all; the last EOL pushback.

This week, June 22, Adobe released the latest security updates for the Magento 1.x branch, and said they would be the last, asking store owners to update to Magento 2.x.

Nearly 110,000 stores still use Magento 1.x

But, sadly, despite store owners knowing since late 2018 that an EOL was coming, many failed to act. Around 75% of current Magento stores are still running on the 1.x branch.

According to cybersecurity firm SanSec, nearly 110,000 stores still operate the 1.x branch, while only 37,500 stores operate the new branch.


Once the 1.x hits the EOL this coming Wednesday, any new Magento 1.x exploit will be a disaster for the web store market as there will be no patch coming.

In conversations with experts in the web security community, this reporter learned that new Magento 1.x vulnerabilities hadn’t been spotted in a while. Many believe that hackers are sitting on their Magento 1.x exploits and waiting for the EOL to happen.

With web skimming attacks being more common than ever, firewalls are only a temporary solution and store owners will most likely have to seriously consider updating their sites, despite the outages and temporary downtimes that that implies.